Provisioning (Role-based Authorization)

EPM System security determines user access to applications using the concept of roles. Roles are permissions that determine user access to application functions. Some EPM System products enforce object-level ACLs to further refine user access to their artifacts such as reports and members.

Each EPM System product provides several default roles tailored to various business needs. Each application belonging to an EPM System product inherits these roles. Predefined roles from the applications registered with Shared Services are displayed in the Shared Services Console. You may also create custom roles that aggregate the default roles to suit specific requirements. These roles are used for provisioning. The process of granting roles and object ACLs belonging to EPM System applications to users and groups is called provisioning.

Native Directory and configured user directories are sources for user and group information for provisioning. Using Shared Services Console, you can browse and provision users and groups from all configured user directories.

The original page shows this as an illustration; in outline, the authorization process is as follows:
  1. After a user is authenticated, the EPM System product queries user directories to determine the user's groups.

  2. The EPM System product uses the group and user information to retrieve the user's provisioning data from Shared Services. The product uses this data to determine which resources the user can access.

    EPM System application roles determine the features that users can access. Data or object access security is handled through finer permissions defined within each application.
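As an added illustration of the two-step process above (a constructed example, not part of the original documentation or of Oracle's own code; the application, role, group and artifact names are hypothetical), this models how group membership returned by the user directories and provisioning data held by Shared Services combine into a user's effective roles, and how an object-level ACL then narrows what the role alone would permit:

```python
# Constructed sample data (hypothetical names, not from any real EPM deployment).
# Default roles per application: role -> features it grants.
DEFAULT_ROLES = {
    "Planning:Budget": {
        "Viewer": {"view_data"},
        "Planner": {"enter_data"},
        "Admin": {"view_data", "enter_data", "manage_app"},
    },
}
# Custom roles aggregate default roles of the same application.
CUSTOM_ROLES = {"Planning:Budget": {"PowerPlanner": {"Viewer", "Planner"}}}
# Step 1: what the configured user directories report as group membership.
USER_GROUPS = {"jdoe": {"Finance", "Analysts"}, "asmith": set()}
# Provisioning data held by Shared Services: principal (user or group) -> app -> roles.
PROVISIONING = {
    "Finance": {"Planning:Budget": {"PowerPlanner"}},
    "asmith": {"Planning:Budget": {"Admin"}},
}
# Object-level ACLs enforced by the application: app -> artifact -> allowed principals.
OBJECT_ACLS = {"Planning:Budget": {"report:Q1Forecast": {"Finance"}}}


def principals_for(user):
    """Step 1: the user plus the groups the directories return for that user."""
    return {user} | USER_GROUPS.get(user, set())


def effective_roles(user, app):
    """Step 2: union the provisioned roles of the user and all of its groups,
    then expand custom roles into the default roles they aggregate."""
    roles = set()
    for principal in principals_for(user):
        roles |= PROVISIONING.get(principal, {}).get(app, set())
    expanded = set()
    for role in roles:
        expanded |= CUSTOM_ROLES.get(app, {}).get(role, {role})
    return expanded & set(DEFAULT_ROLES.get(app, {}))


def can_use_feature(user, app, feature):
    """Application roles decide which features a user can reach."""
    return any(feature in DEFAULT_ROLES[app][r] for r in effective_roles(user, app))


def can_access_object(user, app, artifact, feature="view_data"):
    """Object ACLs refine access further: the role must grant the feature AND
    the artifact's ACL must list the user or one of the user's groups."""
    if not can_use_feature(user, app, feature):
        return False
    allowed = OBJECT_ACLS.get(app, {}).get(artifact, set())
    return bool(allowed & principals_for(user))
```

Note that `asmith` holds the Admin role yet cannot open `report:Q1Forecast`, because the artifact's ACL lists only the Finance group; the role grants the feature, the ACL decides the object.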

Role-based provisioning of EPM System products uses these concepts.